author | Azul <azul@leap.se> | 2012-07-02 17:50:33 +0200 |
committer | Azul <azul@leap.se> | 2012-07-02 17:50:33 +0200 |
commit | 07fe2d8976db0ec267bd57ded90778f0d7695478 (patch) | |
tree | e68f4f73b300e78854bca781f3accb2341390d77 /javascript | |
parent | 337df30b51d2c1bdddcb7fbd05f0ccf46a7a31b3 (diff) |
reject server response with error message if B=0
Diffstat (limited to 'javascript')
-rw-r--r-- | javascript/spec/login.js | 13 | ||||
-rw-r--r-- | javascript/srp.js | 5 |
2 files changed, 17 insertions, 1 deletions
diff --git a/javascript/spec/login.js b/javascript/spec/login.js
index 55cfa16..ea86584 100644
--- a/javascript/spec/login.js
+++ b/javascript/spec/login.js
@@ -5,7 +5,7 @@ describe("Login", function() {
 expect(typeof srp.identify).toBe('function');
 });
- describe("Successfull Login (INTEGRATION)", function (){
+ describe("(INTEGRATION)", function (){
 // a valid auth attempt for the user / password given in the spec runner:
 var a = 'af141ae6';
 var B = '887005895b1f5528b4e4dfdce914f73e763b96d3c901d2f41d8b8cd26255a75';
@@ -51,6 +51,17 @@ describe("Login", function() {
 expect(this.srp.success).toHaveBeenCalled();
 expect(window.location.hash).toBe("#logged_in")
 });
+
+ it("rejects B = 0", function(){
+ this.srp.error_message = sinon.spy();
+ this.srp.identify();
+
+ this.expectRequest('handshake/', 'I=user&A='+A);
+ this.respondJSON({s: salt, B: 0});
+ // aborting if B=0
+ expect(this.requests).toEqual([]);
+ expect(this.srp.error_message).toHaveBeenCalled();
+ });
 });
diff --git a/javascript/srp.js b/javascript/srp.js
index b84786e..b04a350 100644
--- a/javascript/srp.js
+++ b/javascript/srp.js
@@ -185,6 +185,11 @@ function SRP()
 if(response.error) {
 that.error_message(response.error);
 }
+ // B = 0 will make the algorithm always succeed - refuse such a server
+ // answer
+ else if(response.B == 0) {
+ that.error_message("Server send random number 0 - this is not allowed");
+ }
 // If there is no algorithm specified, calculate M given s, B, and P
 else if(!response.a) {
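Review bot: The guard added at `else if(response.B == 0)` only rejects a literal zero, but SRP (RFC 5054 §2.5.4) has the client abort whenever B mod N == 0, and a hex-encoded B equal to N or a multiple of it passes this test yet degenerates the key exchange in the same way. The spec file shows B arriving as a hex string (`var B = '8870…'`), so the check belongs after B has been parsed into whatever big-integer type the rest of srp.js uses — that parsing is outside this hunk — roughly `if (B.mod(N).equals(BigInteger.ZERO)) { that.error_message(...); }`, with the exact method names depending on the library in use. Two smaller points on the same lines: `==` against a string field relies on coercion (`'' == 0` is true as well), so testing the parsed value rather than the raw JSON field is also clearer; and the message should read `Server sent random number 0 - this is not allowed`. The enclosing `function SRP()` begins well before this hunk.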